#!/bin/bash

###########
# install-csf
# Install the ConfigServer Firewall with better default configuration
# https://stash.endurance.com/projects/HGADMIN/repos/install-csf/browse
# Please submit all bug reports at https://jira.endurance.com/secure/RapidBoard.jspa?rapidView=1083&projectKey=HL
#
# (C) 2017 - HostGator.com, LLC
###########

# Script version: written to /etc/csf/hginstall by install_csf and printed by "-v".
ver=v1.2
# Upstream CSF tarball location. Update this with the new download URL if it ever changes.
CSF="https://download.configserver.com/csf.tgz"

# Scratch directory for the download and extraction (under /root rather than /tmp).
TEMPDIR="/root/tmp/csf"

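#######################################
# Stop and remove CSF/LFD (init or systemd), flush iptables, unregister the
# cPanel/WHM plugin and move /etc/csf aside as a backup.
# Globals:   switch (read) - "-u" refuses to run without the HG marker file
#            /etc/csf/hginstall; "-uf" warns and waits for Enter instead.
# Outputs:   progress on stdout
# Exits:     1 when -u is used on a server this script did not install
#######################################
uninstall() {
        local installver backup
        if [ -e /etc/csf/hginstall ]; then
                installver=$(cat /etc/csf/hginstall)
                echo "The HG $installver was used, proceeding with uninstallation."
        elif [ "$switch" = "-u" ]; then
                echo "WARNING :: Either the HG installer was not used or a version older then 0.9 was used."
                echo "Use -uf if you want to force the installer to attempt an uninstallation."
                echo "Please make sure the HG installer was used before forcing an uninstall."
                exit 1
        elif [ "$switch" = "-uf" ]; then
                echo "WARNING :: FORCE UNINSTALL DETECTED.  PROCEEDING WITH UNINSTALLATION."
                echo "IF HG INSTALL-CSF WASN'T USED THIS WILL CAUSE PROBLEMS!"
                sleep 1
                echo "Press Enter to continue or ctrl^C to quit."
                read -r _
        fi

        echo "WARNING :: THERE MIGHT BE NO FIREWALL ON THIS SERVER AFTER UNINSTALLATION.  PLEASE INSTALL A NEW FIREWALL IF NEEDED!"

        echo "STOPPING CSF"
        if [ "$(cat /proc/1/comm)" = "systemd" ]; then
                systemctl stop csf.service
                echo "STOPPING LFD"
                systemctl stop lfd.service
                echo "REMOVING CSF and LFD systemd SCRIPTS"
                systemctl disable csf.service
                systemctl disable lfd.service
                rm -fv /usr/lib/systemd/system/csf.service /usr/lib/systemd/system/lfd.service
                systemctl daemon-reload
        else
                /sbin/service csf stop
                echo "STOPPING LFD"
                /sbin/service lfd stop
                echo "REMOVING CSF AND LFD FROM CHKCONFIG"
                /sbin/chkconfig csf off
                /sbin/chkconfig lfd off
                /sbin/chkconfig --del csf
                /sbin/chkconfig --del lfd
                echo "REMOVING CSF and LFD init SCRIPTS"
                rm -fv /etc/init.d/csf /etc/init.d/lfd
        fi
        # From here on the host has an empty ruleset until a replacement firewall is installed.
        echo "FLUSHING IPTABLES RULES"
        /sbin/iptables --flush
        /sbin/service iptables save
        /sbin/service iptables restart
        echo "UNREGISTERING cPanel APP"
        if [ -e /usr/local/cpanel/bin/unregister_appconfig ]; then
                # Subshell keeps the "cd /" from changing this script's working directory.
                ( cd / && /usr/local/cpanel/bin/unregister_appconfig csf )
        fi
        echo "REMOVING CSF/LFD MISC. FILES"
        rm -fv /usr/sbin/csf /usr/sbin/lfd /etc/chkserv.d/lfd \
                /etc/cron.d/csf_update /etc/cron.d/lfd-cron /etc/cron.d/csf-cron \
                /etc/logrotate.d/lfd /usr/local/man/man1/csf.man.1 /var/run/chkservd/lfd
        echo "BACKING UP THE CSF CONFIGURATION"
        # A leftover /etc/csf.bak from an earlier run would make "mv" nest the
        # new copy inside it; pick a timestamped name in that case.
        backup=/etc/csf.bak
        if [ -e "$backup" ]; then
                backup="/etc/csf.bak.$(date +%s)"
        fi
        if mv /etc/csf "$backup"; then
                echo "Configuration saved to $backup"
        fi
        echo "REMOVING cPanel PLUGIN FILES"
        rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_csf.cgi
        rm -rfv /usr/local/cpanel/whostmgr/docroot/cgi/csf
        rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/configserver/csf.cgi
        rm -rfv /usr/local/cpanel/whostmgr/docroot/cgi/configserver/csf
        echo "REMOVING LFD FROM CHKSERVD"
        # "-i -e", not "-ie": GNU sed reads "-ie" as in-place with backup suffix "e".
        if [ -f /etc/chkserv.d/chkservd.conf ]; then
                sed -i -e 's/lfd:1//g' /etc/chkserv.d/chkservd.conf
        fi
        echo "RESTARTING CHKSERVD"
        if [ -x /scripts/restartsrv_chkservd ]; then
                /scripts/restartsrv_chkservd
        fi
        echo "CLEANING UP REMAINING CSF DIRECTORIES"
        rm -rfv /usr/local/csf /var/lib/csf
        echo " "
        echo " "
        echo "WARNING :: THERE MIGHT NOT BE A FIREWALL ON THIS SERVER.  PLEASE INSTALL A NEW FIREWALL IF NEEDED!"
}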

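#######################################
# Pre-flight checks before install_csf: create TEMPDIR, remove the cPanel
# SMTP tweak, refuse to continue next to BFD/APF, and on pre-systemd
# CentOS releases older than 6 make sure klogd is configured and running.
# Globals:   TEMPDIR (read)
# Outputs:   progress on stdout
# Exits:     2 on a conflicting product, a missing klogd, or an unusable TEMPDIR
#######################################
prepare() {
        local release releasev
        mkdir -p -- "$TEMPDIR" >/dev/null 2>&1
        # A failed cd used to go unnoticed and later steps ran in the wrong directory.
        cd "$TEMPDIR" || { echo "ERROR: cannot enter $TEMPDIR. Exiting."; exit 2; }

        # CSF won't work if cPanel has the SMTP tweak enabled
        echo -n "Checking for SMTP tweak: "
        if [ -f /var/cpanel/smtpgidonlytweak ]; then
                echo "Found (disabling)"
                rm -f -- /var/cpanel/smtpgidonlytweak >/dev/null 2>&1
                echo -n "Restarting cPanel: "
                service cpanel restart >/dev/null 2>&1
                echo "OK"
        else
                echo "OK (not found)"
        fi

        # check for conflicting products.
        if [ -e /etc/cron.d/bfd ]; then
                echo "ERROR: BFD is installed. Exiting."
                exit 2
        fi
        echo "OK: BFD not found (conflicting product)"
        if [ -e /etc/cron.daily/fw ]; then
                echo "ERROR: APF appears to be installed and will conflict. Exiting."
                exit 2
        fi
        echo "OK: APF not found (conflicting product)"

        echo
        echo

        # Pre-systemd hosts only: CentOS 6 needs no klogd/syslog checks, older releases do.
        if [ "$(cat /proc/1/comm)" != "systemd" ]; then
                releasev=$(awk '{print $3}' /etc/redhat-release 2>/dev/null)
                release=${releasev%%.*}
                # Guard the comparison: an empty/non-numeric major version used to
                # make "[ -ge ]" error out, which silently fell into the klogd branch.
                if [[ "$release" =~ ^[0-9]+$ ]] && (( release >= 6 )); then
                        echo "CentOS $releasev detected : Skipping klogd and syslog checks."
                else
                        # Turn on klogd if skipped in syslog ("-i -e", not "-ie").
                        sed -i -e 's/passed klogd skipped #//g' /etc/init.d/syslog
                        /etc/init.d/syslog restart

                        # check for requirements.
                        if ! grep -v '^#' /etc/init.d/syslog | grep -q klogd; then
                                echo "ERROR: klogd is required but does not appear to be configured. Exiting."
                                exit 2
                        fi
                        if ! pgrep -f klog >/dev/null 2>&1; then
                                echo "ERROR: klogd is required but does not appear to be running. Exiting."
                                exit 2
                        fi
                fi
        fi
}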

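#######################################
# Download, extract and run the upstream CSF installer, then record this
# script's version in /etc/csf/hginstall and append a note to /root/.motd.
# Globals:   CSF (read) download URL, TEMPDIR (read), ver (read)
# Outputs:   progress on stdout
# Exits:     2 when the download, the extraction or the installer fails
# Notes:     The tarball is fetched over HTTPS with no separate checksum or
#            signature check, so TLS certificate validation is the only
#            integrity control here; do not weaken it with --no-check-certificate.
#######################################
install_csf() {
        local tarball="$TEMPDIR/csf.tgz"
        echo -n "Downloading CSF: "
        # A failed download used to be reported as "OK"; check wget's status.
        # -O comes before "--" so wget does not read the output path as a URL.
        if ! wget -q -O "$tarball" -- "$CSF"; then
                echo "Failed (download)"
                exit 2
        fi
        echo "OK"
        # Extract into TEMPDIR explicitly instead of relying on prepare()'s cd.
        if ! tar -zxf "$tarball" -C "$TEMPDIR" >/dev/null 2>&1; then
                echo "Failed (extract)"
                exit 2
        fi
        echo -n "Installing CSF: "
        # Subshell: run the installer from TEMPDIR/csf without leaving our own
        # working directory inside a tree that cleanup() later deletes.
        if ( cd "$TEMPDIR/csf" && sh install.sh ) >/dev/null 2>&1; then
                echo "OK"
                echo "install-csf $ver" > /etc/csf/hginstall
                echo "ConfigServer Firewall installed $(date +%D). Configuration at /etc/csf/" >> /root/.motd
        else
                echo "Failed"
                exit 2
        fi
}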

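#######################################
# Rewrite an sshd_config-style directive in place: a commented-out line
# ("#Item ...") and any line containing <item> become <replacement>.
# Arguments: $1 - directive prefix to match, e.g. "MaxAuthTries "
#            $2 - full replacement line, e.g. "MaxAuthTries 3"
#            $3 - file to edit in place
# Outputs:   an error line on stdout when arguments are missing
# Returns:   1 on a usage error or missing file, otherwise sed's status
# Notes:     $1 and $2 are spliced verbatim into a sed expression, so they
#            must not contain "/" or other sed metacharacters; the callers in
#            this script pass fixed literals. Like the original, the second
#            expression matches <item> anywhere on a line, not only at column 0.
#######################################
uncomment_tweak() {
        local item=$1 replacement=$2 file=$3
        if [ -z "$file" ]; then echo "uncomment_tweak requires <item> <replacement> <filename>" ; return 1 ; fi
        if [ ! -f "$file" ]; then echo "uncomment_tweak: file does not exist ($file)" ; return 1 ; fi
        # Double quotes so the arguments expand. The original single-quoted
        # expressions handed the literal text "${1}" to sed, matched nothing,
        # and left every sshd setting untouched.
        sed -i -e "s/^#${item}.*/${replacement}/g" -e "s/${item}.*/${replacement}/g" -- "$file"
}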

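#######################################
# True when <spec> is already the first field of some line in <file>.
# Arguments: $1 - csf list file, $2 - address or spec exactly as written
# Returns:   0 if present, non-zero if absent or the file is unreadable
#######################################
_csf_has() {
        awk -v want="$2" '$1 == want { hit = 1; exit } END { exit !hit }' "$1" 2>/dev/null
}

#######################################
# Append "<spec> # <comment>" to <file> unless <spec> is already listed.
# Arguments: $1 - file, $2 - spec, $3 - comment text
#            $4 - message printed on stdout only when a line is appended (may be empty)
#######################################
_csf_add_once() {
        if _csf_has "$1" "$2"; then
                return 0
        fi
        if [ -n "$4" ]; then
                echo "$4"
        fi
        echo "$2 # $3" >> "$1"
}

#######################################
# Whitelist HostGator support/monitoring hosts, the local resolvers, local
# interface and gateway addresses and well-known crawler/scanner ranges in
# csf.allow and csf.ignore. Every entry is added at most once, so re-running
# the installer no longer duplicates lines; the old "grep || echo && echo >>"
# chains appended even when grep matched, and several entries were not
# guarded at all.
# Arguments: $1 - csf.allow path (default /etc/csf/csf.allow)
#            $2 - csf.ignore path (default /etc/csf/csf.ignore)
# Outputs:   one "- Adding ..." line per entry actually appended
#######################################
configure_csf_allow(){
        local allow_file=${1:-/etc/csf/csf.allow}
        local ignore_file=${2:-/etc/csf/csf.ignore}
        local ip entry spec label

        echo "Editing: $allow_file"
        # Support "wizard" hosts are both allowed and exempted from LFD blocks.
        # (The old check looked for 70.87.80.194 but added 50.23.47.206.)
        for entry in "50.23.47.206/32|wizard2" "74.220.198.220/32|wizard3" "192.185.0.100/32|wizard4"; do
                spec=${entry%%|*}
                label=${entry##*|}
                _csf_add_once "$allow_file" "$spec" "HostGator Support (do not remove)" "- Adding $spec to $allow_file ($label)"
                _csf_add_once "$ignore_file" "$spec" "HostGator Support (do not remove)" "- Adding $spec to $ignore_file ($label)"
        done
        # Zabbix: .72 is allowed through the firewall; the others are only ignored by LFD.
        _csf_add_once "$allow_file" "108.167.133.72/32" "HostGator Support (do not remove)" "- Adding 108.167.133.72/32 to $allow_file (Zabbix)"
        for spec in 108.167.133.73/32 108.167.133.74/32 108.167.133.75/32 108.167.139.50/32; do
                _csf_add_once "$ignore_file" "$spec" "HostGator Support (do not remove)" "- Adding $spec to $ignore_file (Zabbix)"
        done

        # Resolvers from resolv.conf: DNS in/out on 53, plus an LFD ignore.
        # Only this block depends on resolv.conf; the old "fi" wrongly enclosed
        # every whitelist below it as well.
        if [ -f /etc/resolv.conf ]; then
                while IFS= read -r ip; do
                        [ -n "$ip" ] || continue
                        if _csf_has "$allow_file" "$ip:tcp:in:s=53"; then
                                continue
                        fi
                        echo "- Adding $ip to $allow_file and csf.ignore (from resolv.conf)"
                        for spec in "$ip:tcp:in:s=53" "$ip:udp:in:s=53" "$ip:tcp:out:d=53" "$ip:udp:out:d=53"; do
                                _csf_add_once "$allow_file" "$spec" "DNS Server (do not remove)" ""
                        done
                        _csf_add_once "$ignore_file" "$ip" "DNS Server (do not remove)" ""
                done < <(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf)
        fi

        echo "Editing: $ignore_file"
        # whitelist local IPs (values in ifcfg files may be double-quoted):
        while IFS= read -r ip; do
                ip=${ip//\"/}
                [ -n "$ip" ] || continue
                _csf_add_once "$ignore_file" "$ip" "Local IP: Do not remove" "- Adding $ip to $ignore_file (Local IP)"
        done < <(grep -hE '^IPADDR=' /etc/sysconfig/network-scripts/ifcfg* 2>/dev/null | cut -d= -f2-)

        # whitelist our gateway:
        while IFS= read -r ip; do
                ip=${ip//\"/}
                [ -n "$ip" ] || continue
                _csf_add_once "$ignore_file" "$ip" "Local Gateway: Do not remove" "- Adding $ip to $ignore_file (Gateway)"
        done < <(grep -hE '^GATEWAY=' /etc/sysconfig/network-scripts/ifcfg* 2>/dev/null | cut -d= -f2-)

        for ip in 74.125.0.0/24 66.249.64.0/19; do
                _csf_add_once "$ignore_file" "$ip" "GoogleBot: Do not remove" "- Adding $ip to $ignore_file (Google)"
        done

        for ip in 209.191.64.0/18; do
                _csf_add_once "$ignore_file" "$ip" "Yahoo Crawler: Do not remove" "- Adding $ip to $ignore_file (Yahoo)"
        done

        for ip in 70.85.125.144/28 70.85.125.160/27 70.85.125.192/28; do
                _csf_add_once "$ignore_file" "$ip" "ThePlanet CiscoGuard Anti-DDOS: Do not remove" "- Adding $ip to $ignore_file (CiscoGuard)"
        done

        # https://www.scanalert.com/help/scanips.jsp
        for ip in 64.14.3.193/26 64.41.168.241/28 216.35.7.96/27 \
                209.67.114.0/26 165.193.42.64/26 203.82.140.96/28 210.59.224.251/32 \
                210.61.79.253/32 203.66.219.16/32; do
                _csf_add_once "$ignore_file" "$ip" "PCI Compliance: ScanAlert: Do notemove" "- Adding $ip to $ignore_file (PCI/Scanalert)"
        done
}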

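#######################################
# Exempt the HostGator support hosts from LFD blocking in csf.ignore.
# Each CIDR is appended once; a line whose first field equals the CIDR
# counts as already present.
# Arguments: $1 - csf.ignore path (default /etc/csf/csf.ignore)
# Outputs:   "- Adding <cidr> to ignore (<label>)" per entry appended
#######################################
configure_csf_ignore(){
        local ignore_file=${1:-/etc/csf/csf.ignore}
        local entry cidr label
        echo "Editing: $ignore_file"
        # The last entry used to check for .6 but append .5 a second time.
        for entry in \
                "70.87.80.194/32|wizard" \
                "192.185.1.20/32|Houston Support" \
                "192.185.1.22/32|Houston Support" \
                "173.227.74.5/32|Austin Support" \
                "173.227.74.6/32|Austin Support"; do
                cidr=${entry%%|*}
                label=${entry#*|}
                # Skip when already listed; the old "grep || echo && echo >>"
                # chain appended even when grep matched.
                if awk -v want="$cidr" '$1 == want { hit = 1; exit } END { exit !hit }' "$ignore_file" 2>/dev/null; then
                        continue
                fi
                echo "- Adding $cidr to ignore ($label)"
                echo "$cidr # HostGator Support (do not remove)" >> "$ignore_file"
        done
}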

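#######################################
# Deny the RFC 1918 private ranges and the link-local range in csf.deny,
# once each.
# Arguments: $1 - csf.deny path (default /etc/csf/csf.deny)
# Outputs:   "- Adding <cidr> to deny" per entry appended
#######################################
configure_csf_deny(){
        local deny_file=${1:-/etc/csf/csf.deny}
        local cidr
        echo "Editing: $deny_file"
        # 172.16.0.0/12 is the full RFC 1918 block (the old /16 covered only
        # 172.16.x.x); 192.168.0.0/16 was listed twice before.
        for cidr in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16; do
                # Skip when the CIDR is already a line's first field. The old
                # "grep || echo && echo >>" chain appended even when grep matched.
                if awk -v want="$cidr" '$1 == want { hit = 1; exit } END { exit !hit }' "$deny_file" 2>/dev/null; then
                        continue
                fi
                echo "- Adding $cidr to deny"
                echo "$cidr # Non-Routable Address Space" >> "$deny_file"
        done
}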

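#######################################
# Set one csf.conf option: the line starting with KEY becomes KEY = "VALUE".
# Arguments: $1 - option name, $2 - new value, $3 - csf.conf path
# Returns:   sed's status
#######################################
_csf_conf_set() {
        # "-i -e", not "-ie": GNU sed reads "-ie" as in-place with backup
        # suffix "e", which left a stray csf.confe next to every edited file.
        sed -i -e "s/^$1 = .*/$1 = \"$2\"/" -- "$3"
}

#######################################
# Apply the HostGator csf.conf defaults: testing off, auto-updates on,
# login-failure thresholds, connection/process tracking, port-scan blocking
# off, and the Plesk ports when Plesk is installed.
# Arguments: $1 - csf.conf path (default /etc/csf/csf.conf)
# Outputs:   one line per setting on stdout
#######################################
configure_csf_conf(){
        local conf=${1:-/etc/csf/csf.conf}
        echo "Editing: $conf"
        echo "- Setting TESTING=0"
        _csf_conf_set TESTING 0 "$conf"

        echo "- Setting AUTO_UPDATES=1"
        _csf_conf_set AUTO_UPDATES 1 "$conf"

        echo "- Setting LF_TRIGGER_PERM to 15 minutes (default)"
        _csf_conf_set LF_TRIGGER_PERM 900 "$conf"

        # NOTE(review): 3600 s is a 60 minute ban, not the 30 the message claims - confirm intended value.
        echo "- Setting SSH failure to 20 / 30 min ban"
        _csf_conf_set LF_SSHD 20 "$conf"
        _csf_conf_set LF_SSHD_PERM 3600 "$conf"

        echo "- Setting SMTP failure rate to 20 / 5 min ban"
        _csf_conf_set LF_SMTPAUTH 20 "$conf"
        # Was a second LF_SMTPAUTH write, which overwrote the 20 with 300 and
        # never set the ban length at all.
        _csf_conf_set LF_SMTPAUTH_PERM 300 "$conf"

        echo "- Setting POP3 failure rate to 20 / 5min ban"
        _csf_conf_set LF_POP3D 20 "$conf"
        _csf_conf_set LF_POP3D_PERM 300 "$conf"

        echo "- Setting HTTP auth failure detection to 0 (disabled)"
        _csf_conf_set LF_HTACCESS 0 "$conf"
        _csf_conf_set LF_HTACCESS_PERM 300 "$conf"

        echo "- Setting MODSEC failure detection to 0 (disabled)"
        _csf_conf_set LF_MODSEC 0 "$conf"
        _csf_conf_set LF_MODSEC_PERM 300 "$conf"

        # NOTE(review): 3600 s is a 60 minute ban, not the 15 the message claims - confirm intended value.
        echo "- Setting cPanel logi failures to 15 / 15min ban"
        _csf_conf_set LF_CPANEL 15 "$conf"
        _csf_conf_set LF_CPANEL_PERM 3600 "$conf"

        echo "- Setting suhosin detection to 0 (disabled)"
        _csf_conf_set LF_SUHOSIN 0 "$conf"
        _csf_conf_set LF_SUHOSIN_PERM 180 "$conf"

        # Only flips the option on when it is still disabled; the message used
        # to say 604800 while the value written was (and is) 86400.
        echo "- Setting LF_SPAMHAUS=86400" # 1 day ban if on SpamHaus list
        sed -i -e 's/^LF_SPAMHAUS = "0"/LF_SPAMHAUS = "86400"/' -- "$conf"

        echo "- Setting CT_LIMIT=300"
        _csf_conf_set CT_LIMIT 300 "$conf"

        echo "- Setting LF_SCRIPT_LIMIT=1000"
        _csf_conf_set LF_SCRIPT_LIMIT 1000 "$conf"

        echo "- Setting LF_SCRIPT_ALERT=1"
        _csf_conf_set LF_SCRIPT_ALERT 1 "$conf"

        echo "- Setting LF_DSHIELD=86400"
        sed -i -e 's/^LF_DSHIELD = "0"/LF_DSHIELD = "86400"/' -- "$conf"

        echo "- Disabling email warning for SSH login"
        sed -i -e 's/^LF_SSH_EMAIL_ALERT = "1"/LF_SSH_EMAIL_ALERT = "0"/' -- "$conf"

        echo "- Connection Tracking Options"
        echo "  Setting CT_INTERVAL=120"
        _csf_conf_set CT_INTERVAL 120 "$conf"

        echo "  Setting connection blocks to temporary"
        _csf_conf_set CT_PERMANENT 0 "$conf"

        # The old code set CT_BLOCK_TIME=900 earlier and overwrote it here;
        # only 1800 ever took effect, so the first write is gone.
        echo "  Setting blocktime to 30 minutes"
        _csf_conf_set CT_BLOCK_TIME 1800 "$conf"

        echo "  Setting skip time_wait to on"
        _csf_conf_set CT_SKIP_TIME_WAIT 1 "$conf"

        echo "- Process Tracking Options"

        echo "  Setting Process Tracking Minimum Life to 180 seconds"
        _csf_conf_set PT_LIMIT 180 "$conf"

        echo "  Setting Process Tracking Check to 120 seconds"
        _csf_conf_set PT_INTERVAL 120 "$conf"

        echo "  Verifying process killing is disabled"
        _csf_conf_set PT_USERKILL 0 "$conf"

        echo "- PortScan Options"

        echo "  Disabling PortScan Block"
        _csf_conf_set PS_INTERVAL 0 "$conf"

        echo "  Disabling PortScan permanent blocks"
        _csf_conf_set PS_PERMANENT 0 "$conf"

        echo "- Setting Integrity check to every 8 hours (from every hour)"
        _csf_conf_set LF_INTEGRITY 28800 "$conf"

        echo "- Increasing POP3/hour from 60 to 120"
        _csf_conf_set LT_POP3D 120 "$conf"

        # Detect Plesk the same way plesk()/configure_csf_pignore do. The old
        # test was "[ -e /usr/local ]", which is always true and opened the
        # Plesk-only ports (8443, 8447, 8880, 5224) on every server.
        if [ -e /usr/local/psa/bin/product_info ]; then
                echo "- Adding Rules for Plesk ports"
                sed -i -e 's/20,21,22,25,53,80,110,143,443,465,587,993,995,2222/20,21,22,25,53,80,110,113,143,443,465,587,993,995,2222,8443,8447,8880/g' -- "$conf"
                sed -i -e 's/20,21,22,25,53,80,110,113,443/20,21,22,25,53,80,110,113,443,5224/g' -- "$conf"
        fi

        echo "- SUGGESTED: SMTP_BLOCK=1 (leaving as 0 for now)"
        echo "- SUGGESTED: GLOBAL_ALLOW = \"dedi.rsync.hostgator.com/csf/allow.txt\" (doesn't exist yet)"
        echo "- SUGGESTED: GLOBAL_DENY = \"dedi.rsync.hostgator.com/csf/deny.txt\" (doesn't exist yet)"
        echo
}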

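#######################################
# Harden /etc/ssh/sshd_config through uncomment_tweak, validate the result
# and restart sshd.
# Outputs:   progress on stdout, a validation error on stderr
# Returns:   1 without restarting when "sshd -t" rejects the edited config
# Notes:     Protocol, ServerKeyBits and UsePrivilegeSeparation are deprecated
#            keywords on newer OpenSSH releases (7.4 and later), where sshd
#            logs a warning and ignores them; they still matter on the CentOS 6
#            hosts this script also targets.
#######################################
configure_sshd_config(){
        local sshd_config=/etc/ssh/sshd_config
        # --- tune sshd ---
        if [ -f "$sshd_config" ]; then
                echo "Editing: $sshd_config"
                echo "- Disabling ssh v1"
                uncomment_tweak "Protocol " "Protocol 2" "$sshd_config"
                echo "- Setting KeySize to 2048"
                uncomment_tweak "ServerKeyBits " "ServerKeyBits 2048" "$sshd_config"
                echo "- Setting LoginGraceTime to 2m"
                uncomment_tweak "LoginGraceTime " "LoginGraceTime 2m" "$sshd_config"
                echo "- Setting MaxAuthTries 3"
                uncomment_tweak "MaxAuthTries " "MaxAuthTries 3" "$sshd_config"
                echo "- Setting UsePrivSep to yes"
                uncomment_tweak "UsePrivilegeSeparation " "UsePrivilegeSeparation yes" "$sshd_config"
                echo "- Setting MaxStartups to 5"
                uncomment_tweak "MaxStartups " "MaxStartups 5" "$sshd_config"
        fi
        # Validate before restarting: a bad directive would otherwise leave sshd
        # down and the operator locked out of a remote box.
        if [ -x /usr/sbin/sshd ] && ! /usr/sbin/sshd -t; then
                echo "ERROR: $sshd_config failed validation (sshd -t); sshd NOT restarted." >&2
                return 1
        fi
        echo "Restarting: sshd"
        if [ "$(cat /proc/1/comm)" = "systemd" ]; then
                systemctl restart sshd.service
        elif [ -e /etc/init.d/sshd ]; then
                /sbin/service sshd restart >/dev/null 2>&1
        fi
}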

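#######################################
# Add the Plesk (when installed), mailman and mysqld processes to
# csf.pignore so LFD's process tracking does not flag them. Every line is
# appended at most once; nothing happens when the file does not exist.
# Arguments: $1 - csf.pignore path (default /etc/csf/csf.pignore)
# Outputs:   "- Adding <path>" per cPanel/mysqld entry appended
#######################################
configure_csf_pignore(){
        local pignore=${1:-/etc/csf/csf.pignore}
        local line
        [ -f "$pignore" ] || return 0
        echo "Editing: $pignore"

        if [ -e /usr/local/psa/bin/product_info ]; then
                echo "- Adding Plesk Processes to csf.pignore"
                # Appended only when missing; the old code re-appended on every
                # run. The mysqld options were written with en dashes and could
                # never match a real command line; they are "--" now.
                for line in \
                        "exe:/usr/bin/sw-engine-cgi" \
                        "cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm" \
                        "user:psaadm" \
                        "exe:/usr/libexec/mysqld" \
                        "cmd:/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock" \
                        "user:mysql" \
                        "user:admin"; do
                        grep -qxF -- "$line" "$pignore" || echo "$line" >> "$pignore"
                done
        fi

        # As before, presence is judged by a case-insensitive path match. The
        # old "grep || echo && echo >>" chain appended even when grep matched,
        # and the mysqld line echoed the file name into the file itself.
        for line in \
                "exe:/usr/local/cpanel/3rdparty/mailman/bin/qrunner" \
                "exe:/usr/sbin/mysqld" \
                "exe:/usr/local/cpanel/3rdparty/mailman/bin/mailmanctl"; do
                if grep -qiF -- "${line#exe:}" "$pignore"; then
                        continue
                fi
                echo "- Adding ${line#exe:}"
                echo "$line" >> "$pignore"
        done
}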

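#######################################
# Put /etc/ssh/sshd_config on LFD's directory watch list, once.
# Arguments: $1 - csf.dirwatch path (default /etc/csf/csf.dirwatch)
# Outputs:   "- Adding ... to watchlist" only when the line is appended
#            (the old "grep || echo >> && echo" chain printed it even when
#            the entry was already present)
#######################################
configure_csf_dirwatch(){
        local dirwatch=${1:-/etc/csf/csf.dirwatch}
        # --- tune watched dirs/files
        if grep -q -- '^/etc/ssh/sshd_config' "$dirwatch" 2>/dev/null; then
                return 0
        fi
        echo "/etc/ssh/sshd_config" >> "$dirwatch" && echo "- Adding /etc/ssh/sshd_config file to watchlist"
}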

#######################################
# Run every configuration step, in order, after the CSF installer has run.
# Outputs:   whatever each step prints
#######################################
configure_csf() {
        local step
        for step in \
                configure_csf_allow \
                configure_csf_ignore \
                configure_csf_deny \
                configure_csf_conf \
                configure_sshd_config \
                configure_csf_pignore \
                configure_csf_dirwatch; do
                "$step"
        done
}

#######################################
# Stop and disable services a firewall-only server does not need.
# Outputs:   "- Stopping: <name>" per service; service/chkconfig output is discarded
#######################################
stop_services() {
        local svc
        local -a unwanted=(
                anacron avahi-daemon avahi-dnsconfd bluetooth canna cups gpm hidd
                iiim nfslock nifd pcscd rpcidmapd saslauthd sbadm webmin xfs
        )
        echo "Stopping/Disabling Services"
        for svc in "${unwanted[@]}"; do
                echo "- Stopping: $svc"
                service "$svc" stop >/dev/null 2>&1
                chkconfig "$svc" off >/dev/null 2>&1
        done
}

#######################################
# Make the shared temp directories sticky and world-writable (1777).
# Outputs:   "Setting <dir> to 1777" per directory; chmod errors are discarded
#######################################
set_permissions() {
        local dir
        for dir in /tmp /var/tmp; do
                echo "Setting $dir to 1777"
                chmod 1777 -- "$dir" >/dev/null 2>&1
        done
}

#######################################
# Ask csf to fetch and apply its own update.
# Outputs:   a banner on stdout followed by csf's own output
# Returns:   csf's exit status
#######################################
update_csf() {
        printf '\n%s\n\n' "Checking for CSF updates ..."
        /usr/sbin/csf --update
}

#######################################
# Restart LFD and then CSF, each only when its init script or systemd unit exists.
# Outputs:   "Restarting LFD: OK" / "Restarting CSF: OK" on stdout
#######################################
restart_csf() {
        local unit
        for unit in lfd csf; do
                if [ -e "/etc/rc.d/init.d/$unit" ] || [ -e "/usr/lib/systemd/system/$unit.service" ]; then
                        echo -n "Restarting ${unit^^}: "
                        /sbin/service "$unit" restart >/dev/null 2>&1
                        echo "OK"
                fi
        done
}
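#######################################
# Remove the scratch directory used for the download and extraction.
# Globals:   TEMPDIR (read) - must be set and non-empty
# Returns:   rm's status; the shell aborts if TEMPDIR is unset or empty
#######################################
cleanup() {
        # ":?" refuses to run "rm -rf" against an empty path, so a cleared
        # TEMPDIR can never turn this into a no-argument recursive delete.
        rm -rf -- "${TEMPDIR:?TEMPDIR is not set}" >/dev/null 2>&1
}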
#######################################
# Remove the legacy HG Firewall if present: stop it, drop its init script
# and binary, keep a timestamped copy of /etc/firewall, remove the WHM
# add-on, then flush and restart iptables.
# Outputs:   a notice on stdout when the firewall is found
#######################################
hgfirewall() {
        local backup
        [ -e /usr/sbin/firewall ] || return 0
        echo "HG Firewall Detected.  Removing HG Firewall."
        /sbin/service firewall stop
        chkconfig --del firewall
        rm -f /etc/init.d/firewall /usr/sbin/firewall
        backup="/etc/firewall.Backup-$(date +%s)"
        mv /etc/firewall "$backup"
        if [ -e /usr/local/cpanel/whostmgr/docroot/cgi/addon_hgfirewall.cgi ]; then
                rm -f /usr/local/cpanel/whostmgr/docroot/cgi/addon_hgfirewall.cgi
        fi
        /sbin/iptables --flush
        /sbin/service iptables restart
}
#######################################
# After an uninstall on a Plesk server, re-enable the Plesk firewall.
# Outputs:   a notice on stdout when Plesk is detected
#######################################
plesku() {
        [ -e /usr/local/psa/bin/product_info ] || return 0
        clear
        echo "PLESK SERVER."
        echo " "
        echo "Turning the Plesk Firewall back on after uninstallation."
        touch /usr/local/psa/var/modules/firewall/active.flag
        chkconfig --add psa-firewall
        service psa-firewall start
}

#######################################
# Before an install on a Plesk server, stop and disable the Plesk firewall
# so it does not compete with CSF.
# Outputs:   progress on stdout when Plesk is detected
#######################################
plesk() {
        [ -e /usr/local/psa/bin/product_info ] || return 0
        echo "Plesk Server Installation."
        echo " "
        echo "Turning off Plesk Firewall."
        service psa-firewall stop
        echo "Removing the PSA Firewall active.flag"
        rm -fv /usr/local/psa/var/modules/firewall/active.flag
        echo "Removing psa-firewall from chkconfig"
        chkconfig --del psa-firewall
}

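#######################################
# Print the command-line usage.
# Outputs:   usage text on stdout
#######################################
usage() {
        echo "This is the CSF installation script.  Please run this script"
        echo "as follows :"
        echo " "
        echo "install-csf -i :: to install"
        echo "install-csf -u :: to uninstall"
        echo "install-csf -uf :: to force an uninstall"
        echo "install-csf -v :: to print the current version"
}

clear
# Read by uninstall() to tell "-u" (refuse without the HG marker) from "-uf" (force).
switch=$1

case "$switch" in
        -u|-uf)
                # Uninstall if -u or -uf passed from command line.
                uninstall
                plesku
                ;;
        -i)
                # Install if -i passed from command line
                plesk
                hgfirewall
                prepare
                install_csf
                configure_csf
                stop_services
                set_permissions
                update_csf
                restart_csf
                cleanup
                ;;
        -v)
                echo "install-csf $ver"
                ;;
        "")
                # Print usage and exit.
                usage
                ;;
        *)
                # An unknown flag used to do nothing at all, silently.
                echo "install-csf: unknown option '$switch'" >&2
                usage >&2
                exit 1
                ;;
esac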
